Thoughts on callout semantics
30 August 2023 | 5:54 am

Interesting proposal! Some thoughts:

  • I’d suggest looking into the doc-notice, doc-tip, and doc-example DPUB-ARIA roles. I’m a big fan of DPUB-ARIA and I do not think it is used enough. I believe Google’s Talkback has the most robust support for it put of any AT I’m familiar with.

  • I’m not convinced that a cot element is necessary. I think a heading with aria-labelledby would work better as a way to name a callout, and an attribute (or DPUB-ARIA role) could better specify the type of callout.

Funnily enough, I’m thinking about my own proposal for a spoiler element which also has similar structure to—but different semantics from—the details element.

Targeting secure browser profiles
29 August 2023 | 2:10 am

It’s hard to target browsers’ secure profiles. Safari’s Lockdown Mode disables a dozen or so APIs and a handful of other features; the Tor Browser disables another handful of features; Microsoft Edge will likely land more changes to Enhanced Security mode in the coming years. Barely any of this is documented.

I filed a bug in MDN’s BCD tracker to fill this gap, listing what I knew. We can’t expect developers to navigate the dozens of WebKit blog posts and Tor Browser JSM files to figure out which features are disabled. Of course, progressive enhancement should be the norm, but it’s helpful to have a real baseline.

Fingerprinting and customization
28 August 2023 | 8:52 pm

These addons work by injecting or altering stylesheets in the page, and are trivially detectable. A good rule of thumb is that if it can trigger a CSP violation in the developer console, it is trivial to detect with JavaScript.

(FWIW: I believe the Tor Browser does disable the Reporting API, so I think some JavaScript will be necessary).

On “safest” mode with remote JavaScript disabled, certain “dark mode” addons might be safe. I think a better long-term solution would be the ability to “freeze” a page: a button or something to prevent the current page from initiating further requests (it’s already loaded), running scripts, accessing storage, etc. In this state, a user could use any addons or fingerprinting-compromising settings without risk.

A good point of comparison is Reader Mode: a user’s preferred Reader Mode fonts, line-width, color scheme, etc. aren’t fingerprinting vectors. It should be able to stop a site from phoning home or writing to client-side storage to allow for similar levels of customization outside Reader Mode.

Other sources of inspiration could be the expected behavior for the scripting: initial-only media query, and Firefox’s built-in “Work Offline” setting.

More News from this Feed See Full Web Site